changeset 65:ea3c3db37cd9

Automated merge with ssh://xanthippe//home/dirk/Projekte/Blog
author Dirk Olmes <dirk@xanthippe.ping.de>
date Fri, 30 Oct 2015 02:17:27 +0100
parents 9693693301f2 (diff) ddd4e26ce4ad (current diff)
children 6cccb88e5527
files
diffstat 2 files changed, 32 insertions(+), 0 deletions(-) [+]
--- a/content/.htaccess	Fri Oct 30 02:17:23 2015 +0100
+++ b/content/.htaccess	Fri Oct 30 02:17:27 2015 +0100
@@ -2,3 +2,5 @@
 ExpiresDefault "now plus 1 day"
 
 AddOutputFilterByType DEFLATE text/html text/css
+
+#Header set X-Pingback http://xanthippe.duckdns.org/pingback
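Review bot: the `#Header set X-Pingback ...` line added at the end of content/.htaccess is commented-out configuration committed with no note on why it is disabled. Either drop it until pingback is actually served, or add a comment saying what has to be in place before it is enabled. If it is enabled later, `Header` needs mod_headers, so wrapping it in `<IfModule mod_headers.c>` keeps the site from returning a 500 on a host without the module. The advertised endpoint is also plain `http://`.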
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/content/Linux/nfs.md	Fri Oct 30 02:17:27 2015 +0100
@@ -0,0 +1,30 @@
+Title: NFS setup
+Date: 2015-07-30
+Lang: en
+
+I'm planning to put my [Raspberry Pi](https://www.raspberrypi.org/) back to use. I have always disliked its dependency on SD memory cards so I'm planning to put the Pi's root filesystem on NFS. The Pi side will be a topic for another blog post later, first I'll have to setup an NFS server on my main [Gentoo](https://www.gentoo.org) machine.
+
+The main NFS setup is described [on the Gentoo wiki](https://wiki.gentoo.org/wiki/NFS) in sufficient detail. I had a bit of a headache getting NFS through my [Shorewall](http://www.shorewall.net/) based firefall, though. There is a good section on NFS security in the [NFS-HOWTO](http://tldp.org/HOWTO/NFS-HOWTO/security.html) which describes all the necessary bits. And the Gentoo config files have all the required settings in their comments, too. It turns out that all you have to do is to put some configuration into place and the NFS server will play nicely with the firewall:
+
+In `/etc/sysctl.conf` these settings:
+
+    fs.nfs.nlm_tcpport = 4001
+    fs.nfs.nlm_udpport = 4001
+
+In `/etc/conf.d/nfs` enable these settings:
+
+    OPTS_RPC_MOUNTD="-p 32767"
+    OPTS_RPC_STATD="-p 32765 -o 32766"
+
+Now all NFS daemons should be locked down to specific ports so you can add appropriate shorewall rules:
+
+    ACCEPT    loc    fw    tcp    111  # portmapper
+	ACCEPT    loc    fw    udp    111
+	ACCEPT    loc    fw    tcp    2049 # rpc.nfsd
+	ACCEPT    loc    fw    udp    2049
+	ACCEPT    loc    fw    tcp    4001 # kernel lockd
+	ACCEPT    loc    fw    udp    4001
+	ACCEPT    loc    fw    tcp    32765:32767
+	ACCEPT    loc    fw    udp    32765:32767
+
+Restart the nfs service and the firewall. Now clients on the local network should be able to mount shares over NFS.
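Review bot: the closing step in content/Linux/nfs.md restarts only the nfs service and the firewall, but the `fs.nfs.nlm_tcpport` / `fs.nfs.nlm_udpport` values placed in `/etc/sysctl.conf` are not loaded until `sysctl -p` is run or the machine reboots, so lockd can still come up on a random port that the `4001` rules do not cover. Add that step before the restart. The Shorewall rules accept from the whole `loc` zone; since the stated goal is exporting a root filesystem to one Raspberry Pi, consider narrowing the source to that host (`loc:<pi-address>`) and saying so in the text. Two smaller points: "firefall" in the second paragraph should read "firewall", and the rules block mixes a four-space indent on its first line with tabs on the rest.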